gh0strat | 4f5a8b7ca30c757f4cfcbd338d79dd06ebb6db62451845d7b53f38c54ad7da7a

Analysis

max time kernel
111s
max time network
112s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-10-2022 07:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f5a8b7ca30c757f4cfcbd338d79dd06ebb6db62451845d7b53f38c54ad7da7a.msi
Size

13.7MB
MD5

afb73daab97a1a8fb156ed34715a01ca
SHA1

ecb0ea164d1d1ceea4a0fb0d06f61345f4a65ac3
SHA256

4f5a8b7ca30c757f4cfcbd338d79dd06ebb6db62451845d7b53f38c54ad7da7a
SHA512

35dec58a6525f91f6edb2cd9ef3e53f76cbee700ac7e489cda85a443835d210cbef4d369eb3084cb4ad8f5a06a281ea35908249ff6a4f566623c99d7c94487e9
SSDEEP

393216:w3Bp4yJDyaxkvEIeg/sczcezXEbpFS+zYeOPuet:WBy0Gax2fbDlzEbpFfzYeO

Score

10^/10

gh0strat purplefox discovery evasion rat rootkit trojan vmprotect

Malware Config

Signatures

Detect PurpleFox Rootkit 3 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/1880-112-0x0000000000400000-0x00000000006A8000-memory.dmp	purplefox_rootkit
behavioral1/memory/1880-113-0x0000000010000000-0x0000000010192000-memory.dmp	purplefox_rootkit
behavioral1/memory/1880-145-0x0000000000400000-0x00000000006A8000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1880-112-0x0000000000400000-0x00000000006A8000-memory.dmp	family_gh0strat
behavioral1/memory/1880-113-0x0000000010000000-0x0000000010192000-memory.dmp	family_gh0strat
behavioral1/memory/1880-145-0x0000000000400000-0x00000000006A8000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

Processes:

DrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DRIVERS\SET6182.tmp	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SET6182.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\tap0901.sys	DrvInst.exe

Executes dropped EXE 9 IoCs

Processes:

MSI7755.tmpkk.exeletsvpn.exetapinstall.exetapinstall.exelsp.exetapinstall.exeLetsPRO.exeLetsPRO.exe

pid process

1260 MSI7755.tmp
1984 kk.exe
1476 letsvpn.exe
1848 tapinstall.exe
472 tapinstall.exe
1880 lsp.exe
548 tapinstall.exe
1808 LetsPRO.exe
1800 LetsPRO.exe
Modifies Windows Firewall 1 TTPs 4 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

1272 netsh.exe
740 netsh.exe
856 netsh.exe
1672 netsh.exe

pid	process
1272	netsh.exe
740	netsh.exe
856	netsh.exe
1672	netsh.exe

VMProtect packed file 17 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Windows\Installer\MSI7755.tmp	vmprotect
behavioral1/memory/1260-60-0x0000000000400000-0x0000000001DFA000-memory.dmp	vmprotect
behavioral1/memory/1260-59-0x0000000000400000-0x0000000001DFA000-memory.dmp	vmprotect
\Users\Admin\AppData\Local\Temp\kk.exe	vmprotect
\Users\Admin\AppData\Local\Temp\kk.exe	vmprotect
behavioral1/memory/1984-66-0x0000000000400000-0x0000000000437000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\kk.exe	vmprotect
behavioral1/memory/1260-72-0x0000000000400000-0x0000000001DFA000-memory.dmp	vmprotect
behavioral1/memory/1984-74-0x0000000000400000-0x0000000000437000-memory.dmp	vmprotect
C:\Users\Public\Videos\lsp.exe	vmprotect
\Users\Public\Videos\lsp.exe	vmprotect
\Users\Public\Videos\lsp.exe	vmprotect
C:\Users\Public\Videos\lsp.exe	vmprotect
behavioral1/memory/1880-112-0x0000000000400000-0x00000000006A8000-memory.dmp	vmprotect
behavioral1/memory/1880-108-0x0000000000400000-0x00000000006A8000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\kk.exe	vmprotect
behavioral1/memory/1880-145-0x0000000000400000-0x00000000006A8000-memory.dmp	vmprotect

Loads dropped DLL 34 IoCs

Processes:

MSI7755.tmpletsvpn.exekk.exeLetsPRO.exeLetsPRO.exe

pid	process
1260	MSI7755.tmp
1260	MSI7755.tmp
1260	MSI7755.tmp
1476	letsvpn.exe
1476	letsvpn.exe
1476	letsvpn.exe
1476	letsvpn.exe
1476	letsvpn.exe
1476	letsvpn.exe
1476	letsvpn.exe
1476	letsvpn.exe
1476	letsvpn.exe
1476	letsvpn.exe
1984	kk.exe
1984	kk.exe
1476	letsvpn.exe
1476	letsvpn.exe
1476	letsvpn.exe
1476	letsvpn.exe
1476	letsvpn.exe
1476	letsvpn.exe
1476	letsvpn.exe
1476	letsvpn.exe
1808	LetsPRO.exe
1800	LetsPRO.exe
1800	LetsPRO.exe
1800	LetsPRO.exe
1800	LetsPRO.exe
1800	LetsPRO.exe
1800	LetsPRO.exe
1800	LetsPRO.exe
1800	LetsPRO.exe
1800	LetsPRO.exe
1800	LetsPRO.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in System32 directory 21 IoCs

Processes:

DrvInst.exetapinstall.exeDrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{672ae369-aa17-565f-e36e-5a78ba92b570}\SETC110.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_5a1fec2fbbccefcc\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{672ae369-aa17-565f-e36e-5a78ba92b570}\tap0901.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{672ae369-aa17-565f-e36e-5a78ba92b570}\SETC120.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{672ae369-aa17-565f-e36e-5a78ba92b570}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_5a1fec2fbbccefcc\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	tapinstall.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{672ae369-aa17-565f-e36e-5a78ba92b570}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{672ae369-aa17-565f-e36e-5a78ba92b570}\SETC0FF.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{672ae369-aa17-565f-e36e-5a78ba92b570}\SETC0FF.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{672ae369-aa17-565f-e36e-5a78ba92b570}\oemvista.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{672ae369-aa17-565f-e36e-5a78ba92b570}\SETC110.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{672ae369-aa17-565f-e36e-5a78ba92b570}\SETC120.tmp	DrvInst.exe

Drops file in Program Files directory 64 IoCs

Processes:

letsvpn.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Globalization.Calendars.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Xml.ReaderWriter.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Xml.XmlSerializer.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\netstandard.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\arm64\WebView2Loader.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.AppContext.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Net.NetworkInformation.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Numerics.Vectors.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Runtime.Extensions.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Runtime.Serialization.Json.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Diagnostics.Process.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Threading.Tasks.Parallel.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Net.Security.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.ObjectModel.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Runtime.Handles.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\SQLiteNetExtensions.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\SQLitePCLRaw.provider.dynamic_cdecl.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Net.Http.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Net.Ping.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Net.Requests.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Text.Encoding.Extensions.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\x64	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\SQLitePCLRaw.core.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Console.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Net.WebSockets.Client.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Runtime.Serialization.Xml.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Threading.Tasks.Parallel.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Runtime.Serialization.Xml.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\Mono.Cecil.Mdb.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Diagnostics.Debug.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Diagnostics.Process.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Linq.Expressions.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Linq.Parallel.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Diagnostics.FileVersionInfo.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Linq.Expressions.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\log4net.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\zh-HK\LetsPRO.resources.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\zh-CN	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\PusherClient.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Collections.Specialized.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Security.Cryptography.Algorithms.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Text.RegularExpressions.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Threading.Thread.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Globalization.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.IO.MemoryMappedFiles.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Security.Cryptography.Primitives.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Xml.XPath.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Memory.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Net.WebHeaderCollection.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Reflection.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\ICSharpCode.AvalonEdit.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\Microsoft.AppCenter.Crashes.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\SQLite-net.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\SQLitePCLRaw.core.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\SharpCompress.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Xml.XPath.XDocument.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\zh-TW\LetsPRO.resources.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\uninst.exe	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Drawing.Primitives.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.IO.FileSystem.Watcher.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Net.IPNetwork.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\FontAwesome.WPF.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\Hardcodet.Wpf.TaskbarNotification.dll	letsvpn.exe

Drops file in Windows directory 23 IoCs

Processes:

msiexec.exetapinstall.exeDrvInst.exeDrvInst.exeDrvInst.exeDrvInst.exe

description	ioc	process
File created	C:\Windows\Installer\6c6df2.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\6c6df0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6c6df0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7755.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI7669.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6c6df2.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

SCHTASKS.exe

pid process

1152 SCHTASKS.exe

pid	process
1152	SCHTASKS.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

DrvInst.exeDrvInst.exeDrvInst.exeDrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@tcpipcfg.dll,-50002 = "TCP/IP version 6. The latest version of the internet protocol that provides communication across diverse interconnected networks."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rascfg.dll,-32009 = "Allows you to securely connect to a private network using the Internet."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tcpipcfg.dll,-50001 = "Transmission Control Protocol/Internet Protocol. The default wide area network protocol that provides communication across diverse interconnected networks."	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rascfg.dll,-32010 = "Provides the abilitiy to connect a host to a Remote Access Concentrator that supports RFC2516."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\lltdres.dll,-4 = "Used to discover and locate other PCs, devices, and network infrastructure components on the network. Also used to determine network bandwidth."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@netcfgx.dll,-50003 = "Allows other computers to access resources on your computer using a Microsoft network."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

tapinstall.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tapinstall.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

msiexec.exekk.exeletsvpn.exe

pid	process
952	msiexec.exe
952	msiexec.exe
1984	kk.exe
1984	kk.exe
1984	kk.exe
1984	kk.exe
1984	kk.exe
1476	letsvpn.exe
1476	letsvpn.exe
1476	letsvpn.exe
1984	kk.exe
1984	kk.exe
1984	kk.exe
1476	letsvpn.exe
1476	letsvpn.exe
1476	letsvpn.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeDrvInst.exetapinstall.exe

description	pid	process
Token: SeShutdownPrivilege	1048	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1048	msiexec.exe
Token: SeRestorePrivilege	952	msiexec.exe
Token: SeTakeOwnershipPrivilege	952	msiexec.exe
Token: SeSecurityPrivilege	952	msiexec.exe
Token: SeCreateTokenPrivilege	1048	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1048	msiexec.exe
Token: SeLockMemoryPrivilege	1048	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1048	msiexec.exe
Token: SeMachineAccountPrivilege	1048	msiexec.exe
Token: SeTcbPrivilege	1048	msiexec.exe
Token: SeSecurityPrivilege	1048	msiexec.exe
Token: SeTakeOwnershipPrivilege	1048	msiexec.exe
Token: SeLoadDriverPrivilege	1048	msiexec.exe
Token: SeSystemProfilePrivilege	1048	msiexec.exe
Token: SeSystemtimePrivilege	1048	msiexec.exe
Token: SeProfSingleProcessPrivilege	1048	msiexec.exe
Token: SeIncBasePriorityPrivilege	1048	msiexec.exe
Token: SeCreatePagefilePrivilege	1048	msiexec.exe
Token: SeCreatePermanentPrivilege	1048	msiexec.exe
Token: SeBackupPrivilege	1048	msiexec.exe
Token: SeRestorePrivilege	1048	msiexec.exe
Token: SeShutdownPrivilege	1048	msiexec.exe
Token: SeDebugPrivilege	1048	msiexec.exe
Token: SeAuditPrivilege	1048	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1048	msiexec.exe
Token: SeChangeNotifyPrivilege	1048	msiexec.exe
Token: SeRemoteShutdownPrivilege	1048	msiexec.exe
Token: SeUndockPrivilege	1048	msiexec.exe
Token: SeSyncAgentPrivilege	1048	msiexec.exe
Token: SeEnableDelegationPrivilege	1048	msiexec.exe
Token: SeManageVolumePrivilege	1048	msiexec.exe
Token: SeImpersonatePrivilege	1048	msiexec.exe
Token: SeCreateGlobalPrivilege	1048	msiexec.exe
Token: SeBackupPrivilege	1296	vssvc.exe
Token: SeRestorePrivilege	1296	vssvc.exe
Token: SeAuditPrivilege	1296	vssvc.exe
Token: SeBackupPrivilege	952	msiexec.exe
Token: SeRestorePrivilege	952	msiexec.exe
Token: SeRestorePrivilege	1700	DrvInst.exe
Token: SeRestorePrivilege	1700	DrvInst.exe
Token: SeRestorePrivilege	1700	DrvInst.exe
Token: SeRestorePrivilege	1700	DrvInst.exe
Token: SeRestorePrivilege	1700	DrvInst.exe
Token: SeRestorePrivilege	1700	DrvInst.exe
Token: SeRestorePrivilege	1700	DrvInst.exe
Token: SeLoadDriverPrivilege	1700	DrvInst.exe
Token: SeLoadDriverPrivilege	1700	DrvInst.exe
Token: SeLoadDriverPrivilege	1700	DrvInst.exe
Token: SeRestorePrivilege	952	msiexec.exe
Token: SeTakeOwnershipPrivilege	952	msiexec.exe
Token: SeRestorePrivilege	952	msiexec.exe
Token: SeTakeOwnershipPrivilege	952	msiexec.exe
Token: SeRestorePrivilege	952	msiexec.exe
Token: SeTakeOwnershipPrivilege	952	msiexec.exe
Token: SeRestorePrivilege	952	msiexec.exe
Token: SeTakeOwnershipPrivilege	952	msiexec.exe
Token: SeRestorePrivilege	952	msiexec.exe
Token: SeTakeOwnershipPrivilege	952	msiexec.exe
Token: SeRestorePrivilege	952	msiexec.exe
Token: SeTakeOwnershipPrivilege	952	msiexec.exe
Token: SeRestorePrivilege	472	tapinstall.exe
Token: SeRestorePrivilege	472	tapinstall.exe
Token: SeRestorePrivilege	472	tapinstall.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1048 msiexec.exe
1048 msiexec.exe

pid	process
1048	msiexec.exe
1048	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeMSI7755.tmpletsvpn.exeDrvInst.exekk.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 952 wrote to memory of 1260	952	msiexec.exe	MSI7755.tmp
PID 952 wrote to memory of 1260	952	msiexec.exe	MSI7755.tmp
PID 952 wrote to memory of 1260	952	msiexec.exe	MSI7755.tmp
PID 952 wrote to memory of 1260	952	msiexec.exe	MSI7755.tmp
PID 1260 wrote to memory of 1984	1260	MSI7755.tmp	kk.exe
PID 1260 wrote to memory of 1984	1260	MSI7755.tmp	kk.exe
PID 1260 wrote to memory of 1984	1260	MSI7755.tmp	kk.exe
PID 1260 wrote to memory of 1984	1260	MSI7755.tmp	kk.exe
PID 1260 wrote to memory of 1476	1260	MSI7755.tmp	letsvpn.exe
PID 1260 wrote to memory of 1476	1260	MSI7755.tmp	letsvpn.exe
PID 1260 wrote to memory of 1476	1260	MSI7755.tmp	letsvpn.exe
PID 1260 wrote to memory of 1476	1260	MSI7755.tmp	letsvpn.exe
PID 1476 wrote to memory of 1848	1476	letsvpn.exe	tapinstall.exe
PID 1476 wrote to memory of 1848	1476	letsvpn.exe	tapinstall.exe
PID 1476 wrote to memory of 1848	1476	letsvpn.exe	tapinstall.exe
PID 1476 wrote to memory of 1848	1476	letsvpn.exe	tapinstall.exe
PID 1476 wrote to memory of 472	1476	letsvpn.exe	tapinstall.exe
PID 1476 wrote to memory of 472	1476	letsvpn.exe	tapinstall.exe
PID 1476 wrote to memory of 472	1476	letsvpn.exe	tapinstall.exe
PID 1476 wrote to memory of 472	1476	letsvpn.exe	tapinstall.exe
PID 1044 wrote to memory of 1272	1044	DrvInst.exe	rundll32.exe
PID 1044 wrote to memory of 1272	1044	DrvInst.exe	rundll32.exe
PID 1044 wrote to memory of 1272	1044	DrvInst.exe	rundll32.exe
PID 1984 wrote to memory of 1880	1984	kk.exe	lsp.exe
PID 1984 wrote to memory of 1880	1984	kk.exe	lsp.exe
PID 1984 wrote to memory of 1880	1984	kk.exe	lsp.exe
PID 1984 wrote to memory of 1880	1984	kk.exe	lsp.exe
PID 1984 wrote to memory of 1152	1984	kk.exe	SCHTASKS.exe
PID 1984 wrote to memory of 1152	1984	kk.exe	SCHTASKS.exe
PID 1984 wrote to memory of 1152	1984	kk.exe	SCHTASKS.exe
PID 1984 wrote to memory of 1152	1984	kk.exe	SCHTASKS.exe
PID 1476 wrote to memory of 320	1476	letsvpn.exe	cmd.exe
PID 1476 wrote to memory of 320	1476	letsvpn.exe	cmd.exe
PID 1476 wrote to memory of 320	1476	letsvpn.exe	cmd.exe
PID 1476 wrote to memory of 320	1476	letsvpn.exe	cmd.exe
PID 320 wrote to memory of 856	320	cmd.exe	netsh.exe
PID 320 wrote to memory of 856	320	cmd.exe	netsh.exe
PID 320 wrote to memory of 856	320	cmd.exe	netsh.exe
PID 320 wrote to memory of 856	320	cmd.exe	netsh.exe
PID 1476 wrote to memory of 1600	1476	letsvpn.exe	cmd.exe
PID 1476 wrote to memory of 1600	1476	letsvpn.exe	cmd.exe
PID 1476 wrote to memory of 1600	1476	letsvpn.exe	cmd.exe
PID 1476 wrote to memory of 1600	1476	letsvpn.exe	cmd.exe
PID 1600 wrote to memory of 1672	1600	cmd.exe	netsh.exe
PID 1600 wrote to memory of 1672	1600	cmd.exe	netsh.exe
PID 1600 wrote to memory of 1672	1600	cmd.exe	netsh.exe
PID 1600 wrote to memory of 1672	1600	cmd.exe	netsh.exe
PID 1476 wrote to memory of 1120	1476	letsvpn.exe	cmd.exe
PID 1476 wrote to memory of 1120	1476	letsvpn.exe	cmd.exe
PID 1476 wrote to memory of 1120	1476	letsvpn.exe	cmd.exe
PID 1476 wrote to memory of 1120	1476	letsvpn.exe	cmd.exe
PID 1120 wrote to memory of 1272	1120	cmd.exe	netsh.exe
PID 1120 wrote to memory of 1272	1120	cmd.exe	netsh.exe
PID 1120 wrote to memory of 1272	1120	cmd.exe	netsh.exe
PID 1120 wrote to memory of 1272	1120	cmd.exe	netsh.exe
PID 1476 wrote to memory of 1796	1476	letsvpn.exe	cmd.exe
PID 1476 wrote to memory of 1796	1476	letsvpn.exe	cmd.exe
PID 1476 wrote to memory of 1796	1476	letsvpn.exe	cmd.exe
PID 1476 wrote to memory of 1796	1476	letsvpn.exe	cmd.exe
PID 1796 wrote to memory of 740	1796	cmd.exe	netsh.exe
PID 1796 wrote to memory of 740	1796	cmd.exe	netsh.exe
PID 1796 wrote to memory of 740	1796	cmd.exe	netsh.exe
PID 1796 wrote to memory of 740	1796	cmd.exe	netsh.exe
PID 1476 wrote to memory of 548	1476	letsvpn.exe	tapinstall.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4f5a8b7ca30c757f4cfcbd338d79dd06ebb6db62451845d7b53f38c54ad7da7a.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1048

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\Installer\MSI7755.tmp
"C:\Windows\Installer\MSI7755.tmp"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Local\Temp\kk.exe
C:\Users\Admin\AppData\Local\Temp\kk.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Public\Videos\lsp.exe
C:\Users\Public\Videos\lsp.exe
4⤵
- Executes dropped EXE
PID:1880

C:\Windows\SysWOW64\SCHTASKS.exe
SCHTASKS /Create /SC ONLOGON /TN active /F /RL HIGHEST /TR C:\Users\Public\Pictures\34497\ttvip.exe
4⤵
- Creates scheduled task(s)
PID:1152

C:\Users\Admin\AppData\Local\Temp\letsvpn.exe
C:\Users\Admin\AppData\Local\Temp\letsvpn.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1476

C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
4⤵
- Executes dropped EXE
PID:1848

C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:472

C:\Windows\SysWOW64\cmd.exe
cmd /c netsh advfirewall firewall Delete rule name=lets
4⤵
- Suspicious use of WriteProcessMemory
PID:320

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall Delete rule name=lets
5⤵
- Modifies Windows Firewall
PID:856

C:\Windows\SysWOW64\cmd.exe
cmd /c netsh advfirewall firewall Delete rule name=lets.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall Delete rule name=lets.exe
5⤵
- Modifies Windows Firewall
PID:1672

C:\Windows\SysWOW64\cmd.exe
cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1120

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall Delete rule name=LetsPRO.exe
5⤵
- Modifies Windows Firewall
PID:1272

C:\Windows\SysWOW64\cmd.exe
cmd /c netsh advfirewall firewall Delete rule name=LetsPRO
4⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall Delete rule name=LetsPRO
5⤵
- Modifies Windows Firewall
PID:740

C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
4⤵
- Executes dropped EXE
PID:548

C:\Program Files (x86)\letsvpn\LetsPRO.exe
"C:\Program Files (x86)\letsvpn\LetsPRO.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808

C:\Program Files (x86)\letsvpn\app-3.2.8\LetsPRO.exe
"C:\Program Files (x86)\letsvpn\app-3.2.8\LetsPRO.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000328" "00000000000004AC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{794cef48-14ce-5cb7-8e63-d25c26ba2536}\oemvista.inf" "9" "6d14a44ff" "00000000000004D4" "WinSta0\Default" "000000000000049C" "208" "c:\program files (x86)\letsvpn\driver"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{11b157eb-eaa8-1c91-44bf-205d9526af26} Global\{7dbd7fef-9629-6ec2-45e1-8d3fac068957} C:\Windows\System32\DriverStore\Temp\{672ae369-aa17-565f-e36e-5a78ba92b570}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{672ae369-aa17-565f-e36e-5a78ba92b570}\tap0901.cat
2⤵
PID:1272

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot20" "" "" "65dbac317" "0000000000000000" "00000000000003E0" "00000000000005D0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1800

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:tap0901.NTamd64:tap0901.ndi:9.0.0.9:tap0901" "6d14a44ff" "00000000000004D4" "00000000000005E4" "00000000000003AC"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\letsvpn\LetsPRO.exe
Filesize
241KB

MD5
d7feeb6db9035951f1acf6f42dff28af

SHA1
433043803f701d2a98af13144c0dbc55b8102fcf

SHA256
7619a4e0d6d4c3c26da4285c6abc69974b4754017fae530768a288e153520be0

SHA512
22785e6f7207c3b6b9ab6fa2f15e78d7fba396eff6ab7e268284bd6379f3b8c7c8ab64ec802d306435d795122ccc5be858895f5ef2a30d5080bfa4ad832dacd8

Download Submit
C:\Program Files (x86)\letsvpn\LetsPRO.exe
Filesize
241KB

MD5
d7feeb6db9035951f1acf6f42dff28af

SHA1
433043803f701d2a98af13144c0dbc55b8102fcf

SHA256
7619a4e0d6d4c3c26da4285c6abc69974b4754017fae530768a288e153520be0

SHA512
22785e6f7207c3b6b9ab6fa2f15e78d7fba396eff6ab7e268284bd6379f3b8c7c8ab64ec802d306435d795122ccc5be858895f5ef2a30d5080bfa4ad832dacd8

Download Submit
C:\Program Files (x86)\letsvpn\app-3.2.8\LetsPRO.exe
Filesize
1.1MB

MD5
f580b1afeda311cc16ec79604013c986

SHA1
c96f803de28e422310a2076f757983b76d4c8516

SHA256
3761076fcc52c1e7dd303496bff5ec64220092f2853e2b6006bf645d61a55092

SHA512
5d0bd2596c2025ae41ff52eabb64916220f879b6c471c743002ab92d609a155127cd7b9ea2100a690e0cd5a48687e91e1f95bc511b9802aefcb173d23da5dba9

Download Submit
C:\Program Files (x86)\letsvpn\app-3.2.8\LetsPRO.exe
Filesize
1.1MB

MD5
f580b1afeda311cc16ec79604013c986

SHA1
c96f803de28e422310a2076f757983b76d4c8516

SHA256
3761076fcc52c1e7dd303496bff5ec64220092f2853e2b6006bf645d61a55092

SHA512
5d0bd2596c2025ae41ff52eabb64916220f879b6c471c743002ab92d609a155127cd7b9ea2100a690e0cd5a48687e91e1f95bc511b9802aefcb173d23da5dba9

Download Submit
C:\Program Files (x86)\letsvpn\app-3.2.8\LetsPRO.exe.config
Filesize
19KB

MD5
bdcc4e908528fd2f68e4d9f96437a842

SHA1
e47b8bf8d5e05a9a486dc33ee246acb2238d200c

SHA256
9a423e934ca02f113551dddd90f96292b0da4b2b9c6144e1163db6bb7c96f92c

SHA512
86a0a4331843d8ac9ac701e1a9dec1ccef69c6d7223fc87366b74b0f186eaab26256088c0ba8c4d5ac42f65adc82be894e6a926887728a800fb160cb87a4f00e

Download Submit
C:\Program Files (x86)\letsvpn\app-3.2.8\Newtonsoft.Json.dll
Filesize
686KB

MD5
22da3e608b9d6510c367a4119aa7226a

SHA1
c46604ca2ddc8b50cbf8249ea7720c1a49703cff

SHA256
74255fe55ff2e6e52f1e38bd9b9b21a0e3bd47d79cd7ddc2c235d3bd36684a7e

SHA512
be4745c006705069bdc3e15ae3bb7e668ce3ba9bccb81feebde62c98b54e9a8b4aed6f9709fb1d9beb5c01d5af1fef84e62c5fc6bafe5d79e92b00785c66f430

Download Submit
C:\Program Files (x86)\letsvpn\app-3.2.8\Utils.dll
Filesize
118KB

MD5
28a9a91d4b13236fd04a5eaa75e798d0

SHA1
84c064ece148297bf5606cde083ea811ba10a5ef

SHA256
87cf0aeccada8867f1d80f59531403ba8ad0489caf160b6c3401163d61c200fe

SHA512
e49f2aa77cae28b5bab90356fcc318cc2f93b61b1df2d8ceb535106126c85bb09925ab16f9763f4e67dce53a4edf4bb6fa5b2579937ed7372c5af0f513fc09b5

Download Submit
C:\Program Files (x86)\letsvpn\app-3.2.8\log4net.config
Filesize
3KB

MD5
28f9077c304d8c626554818a5b5f3b3a

SHA1
a01f735fe348383795d61aadd6aab0cc3a9db190

SHA256
746b5675ea85c21ef4fcc05e072383a7f83c5fe06aaa391fc3046f34b9817c90

SHA512
485c175bc13c64601b15243daecbf72621883c2ff294852c9bbb2681937f7ef0bea65361e0f83131ec989432326442ef387c1ccf2a7ca537c6788b8fd5c0021e

Download Submit
C:\Program Files (x86)\letsvpn\app-3.2.8\log4net.dll
Filesize
274KB

MD5
985916905fc9b8222c3e65c8873cab91

SHA1
95c7ce0a1d94918a234694f1917d9eef3b289035

SHA256
252a303763cf7810679255cfbf761d2a5ce3b41b193070f0c5ebcbc52238e1c8

SHA512
436b0d24a7e23ab424dce69608969f35fcc88b4caa5c1bb2eeaee8bf54a4c2c0c9cbfe3a0e82c81fae22d1acdb037648972c6860e831a851fb42276ff5e97354

Download Submit
C:\Program Files (x86)\letsvpn\driver\OemVista.inf
Filesize
7KB

MD5
b6aada0cbed06889053a05b66f146979

SHA1
823025f02b355b37df7d7657b0f2b4d3584891a5

SHA256
a6e72b88e42d2b478615c5a16bbedb3fd02b0dd3def3a79840fc6a5df8312707

SHA512
9f8a6b0ad5ae4ea4c14043d663fd5aca2f1884ece0975b13c0533eb93103eb89120c1884121d71c8f9d09f5d210926fdba3b29fc6cf87f601bbc0f359c31d4ad

Download Submit
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\kk.exe
Filesize
75KB

MD5
6050e96866489fe27ed9babad1857036

SHA1
64f2bbb3e24a665b119fed0aea149eda7723ca24

SHA256
7b1e8fe7a9f17c6225df8151506724c6ad2d7e469593bb4095427ee430b617ad

SHA512
ce528812778066db7323e0ebce59ec350574713260abd8e9cfbabbff94ec6dad2c6beeb8998c2e7fcb62938a57a3e13596ea23407551563ab22624f7a89cd809

Download Submit
C:\Users\Admin\AppData\Local\Temp\kk.exe
Filesize
75KB

MD5
6050e96866489fe27ed9babad1857036

SHA1
64f2bbb3e24a665b119fed0aea149eda7723ca24

SHA256
7b1e8fe7a9f17c6225df8151506724c6ad2d7e469593bb4095427ee430b617ad

SHA512
ce528812778066db7323e0ebce59ec350574713260abd8e9cfbabbff94ec6dad2c6beeb8998c2e7fcb62938a57a3e13596ea23407551563ab22624f7a89cd809

Download Submit
C:\Users\Admin\AppData\Local\Temp\letsvpn.exe
Filesize
12.3MB

MD5
8834ec8d35669dd623ba5c6986ff2748

SHA1
1a475633f1ea1ab47edb1c030ce2ea933c0a934c

SHA256
addd2cd8d45632e65f49b6ce71614af32332741307be5a02f16015af13090cf2

SHA512
00b3578f4e79a5af041dc2364b2cbcc73930c5d1893b3646d8eb652c89573773abc9dc9bf1de2aff05053942a1615cbe17c0ed6ce0e019b649f0b11301cbcf4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\letsvpn.exe
Filesize
12.3MB

MD5
8834ec8d35669dd623ba5c6986ff2748

SHA1
1a475633f1ea1ab47edb1c030ce2ea933c0a934c

SHA256
addd2cd8d45632e65f49b6ce71614af32332741307be5a02f16015af13090cf2

SHA512
00b3578f4e79a5af041dc2364b2cbcc73930c5d1893b3646d8eb652c89573773abc9dc9bf1de2aff05053942a1615cbe17c0ed6ce0e019b649f0b11301cbcf4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{794CE~1\tap0901.sys
Filesize
39KB

MD5
3c32ff010f869bc184df71290477384e

SHA1
9dec39ca0d13cd4aadf4120de29665c426be9f2b

SHA256
55cfcec7f026c6e2e96a2fbe846ab513bb12bb0348735274fe1b71af019c837b

SHA512
2443368fa5b93ebe112a169d1fff625a9a1a26f206dfeb6b85b4a2f9acec6ccfc7e821d15b69e93848cbad58b86c83114c83338162ea0fedd1a0798fab1700ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{794cef48-14ce-5cb7-8e63-d25c26ba2536}\oemvista.inf
Filesize
7KB

MD5
b6aada0cbed06889053a05b66f146979

SHA1
823025f02b355b37df7d7657b0f2b4d3584891a5

SHA256
a6e72b88e42d2b478615c5a16bbedb3fd02b0dd3def3a79840fc6a5df8312707

SHA512
9f8a6b0ad5ae4ea4c14043d663fd5aca2f1884ece0975b13c0533eb93103eb89120c1884121d71c8f9d09f5d210926fdba3b29fc6cf87f601bbc0f359c31d4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\{794cef48-14ce-5cb7-8e63-d25c26ba2536}\tap0901.cat
Filesize
10KB

MD5
0365c95d5be2b3d314dcc019380c0e11

SHA1
c269cee763f580e890d2eae42a8e98116e04a232

SHA256
6f997d53abfc991e23f08256fbde3eb21a1680af2e504b7accfef0f1d8909503

SHA512
9acfc1ce0b46d3edc9708c16ae39a0707dcfc86fc6ba66f7e1712c383babde4c4cfb25338abe511429b67c39f2c2e30e0eb4c94e9987a7919e9b5cae53b4d24c

Download Submit
C:\Users\Public\Videos\lsp.exe
Filesize
1.0MB

MD5
95f15e5ca91150a6caf86ada3023cc58

SHA1
6254bb5d18d7ccff4c698ec771c9bed56653d117

SHA256
2a013ff275babc22d4a7041cb52dbd641aa918227cf4943a6ec927d89f9fccad

SHA512
bcf827c2aae0bb58f2c10e25767b89b957d4ef00f4f83ef73d02609d6359037f3f11f683838319f6d39e0db6eadea9ae7f4f5f08f0fd8efa1bf52c77094f7f40

Download Submit
C:\Users\Public\Videos\lsp.exe
Filesize
1.0MB

MD5
95f15e5ca91150a6caf86ada3023cc58

SHA1
6254bb5d18d7ccff4c698ec771c9bed56653d117

SHA256
2a013ff275babc22d4a7041cb52dbd641aa918227cf4943a6ec927d89f9fccad

SHA512
bcf827c2aae0bb58f2c10e25767b89b957d4ef00f4f83ef73d02609d6359037f3f11f683838319f6d39e0db6eadea9ae7f4f5f08f0fd8efa1bf52c77094f7f40

Download Submit
C:\Windows\INF\oem2.inf
Filesize
7KB

MD5
b6aada0cbed06889053a05b66f146979

SHA1
823025f02b355b37df7d7657b0f2b4d3584891a5

SHA256
a6e72b88e42d2b478615c5a16bbedb3fd02b0dd3def3a79840fc6a5df8312707

SHA512
9f8a6b0ad5ae4ea4c14043d663fd5aca2f1884ece0975b13c0533eb93103eb89120c1884121d71c8f9d09f5d210926fdba3b29fc6cf87f601bbc0f359c31d4ad

Download Submit
C:\Windows\Installer\MSI7755.tmp
Filesize
13.5MB

MD5
527111c6ff1bed78302d2a59a772bebe

SHA1
94dcdb1aa606356a613584e016d201fe9246e0f3

SHA256
97935af097104cb5cbafefb482f1e748613eeb6dadf80bc95c88fcc2aac6580c

SHA512
12c30789892746c02478ac9f920f3b6eeb37de2d36b432ba3aa4e13980eeffa869cf0be381c9a50f80dabbdfdd5d61a0a36c53dcf55ecf37b6b50690f4dae6e8

Download Submit
C:\Windows\System32\DRIVER~1\FILERE~1\OEMVIS~1.INF\tap0901.sys
Filesize
39KB

MD5
3c32ff010f869bc184df71290477384e

SHA1
9dec39ca0d13cd4aadf4120de29665c426be9f2b

SHA256
55cfcec7f026c6e2e96a2fbe846ab513bb12bb0348735274fe1b71af019c837b

SHA512
2443368fa5b93ebe112a169d1fff625a9a1a26f206dfeb6b85b4a2f9acec6ccfc7e821d15b69e93848cbad58b86c83114c83338162ea0fedd1a0798fab1700ff

Download Submit
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_5a1fec2fbbccefcc\oemvista.PNF
Filesize
8KB

MD5
eb8620170c62608d6ec47b55d26e5ef6

SHA1
dcb9ff8999cfba00586c8145a7a145137c07064a

SHA256
defdd5c8d38ace4bc8163e0d14626f379660f2410681ff0f0f7eb39434a1bc0e

SHA512
7fea8dc329b4425a292d8a7c11e6a090ce836c233fa88091c14240a01d47a7e6997921f87b237194d32971fc0eac36e1cbc985d20533ef8b227758612f80276a

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1
Filesize
1.4MB

MD5
0df1b9d013abe532fc21291dff84d4e1

SHA1
cf6306af9d950aaceede3ed87546a4aa93553a2d

SHA256
5fd1cdf698b725e753afee698943a3bb23047a804c59d787c0425a3111cbe21c

SHA512
0641f4dc3a99f4128a728885b464855fee1bc534c826a41c623e46f8955046150b69e740723feb3aaef2a708aaeb2a7b3a88a38ff1bac1c0baa112b820d9ebc1

Download Submit
C:\Windows\System32\DriverStore\Temp\{672ae369-aa17-565f-e36e-5a78ba92b570}\oemvista.inf
Filesize
7KB

MD5
b6aada0cbed06889053a05b66f146979

SHA1
823025f02b355b37df7d7657b0f2b4d3584891a5

SHA256
a6e72b88e42d2b478615c5a16bbedb3fd02b0dd3def3a79840fc6a5df8312707

SHA512
9f8a6b0ad5ae4ea4c14043d663fd5aca2f1884ece0975b13c0533eb93103eb89120c1884121d71c8f9d09f5d210926fdba3b29fc6cf87f601bbc0f359c31d4ad

Download Submit
C:\Windows\System32\DriverStore\Temp\{672ae369-aa17-565f-e36e-5a78ba92b570}\tap0901.cat
Filesize
10KB

MD5
0365c95d5be2b3d314dcc019380c0e11

SHA1
c269cee763f580e890d2eae42a8e98116e04a232

SHA256
6f997d53abfc991e23f08256fbde3eb21a1680af2e504b7accfef0f1d8909503

SHA512
9acfc1ce0b46d3edc9708c16ae39a0707dcfc86fc6ba66f7e1712c383babde4c4cfb25338abe511429b67c39f2c2e30e0eb4c94e9987a7919e9b5cae53b4d24c

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\PROGRA~2\letsvpn\driver\tap0901.sys
Filesize
39KB

MD5
3c32ff010f869bc184df71290477384e

SHA1
9dec39ca0d13cd4aadf4120de29665c426be9f2b

SHA256
55cfcec7f026c6e2e96a2fbe846ab513bb12bb0348735274fe1b71af019c837b

SHA512
2443368fa5b93ebe112a169d1fff625a9a1a26f206dfeb6b85b4a2f9acec6ccfc7e821d15b69e93848cbad58b86c83114c83338162ea0fedd1a0798fab1700ff

Download Submit
\??\c:\program files (x86)\letsvpn\driver\tap0901.cat
Filesize
10KB

MD5
0365c95d5be2b3d314dcc019380c0e11

SHA1
c269cee763f580e890d2eae42a8e98116e04a232

SHA256
6f997d53abfc991e23f08256fbde3eb21a1680af2e504b7accfef0f1d8909503

SHA512
9acfc1ce0b46d3edc9708c16ae39a0707dcfc86fc6ba66f7e1712c383babde4c4cfb25338abe511429b67c39f2c2e30e0eb4c94e9987a7919e9b5cae53b4d24c

Download Submit
\Program Files (x86)\letsvpn\LetsPRO.exe
Filesize
241KB

MD5
d7feeb6db9035951f1acf6f42dff28af

SHA1
433043803f701d2a98af13144c0dbc55b8102fcf

SHA256
7619a4e0d6d4c3c26da4285c6abc69974b4754017fae530768a288e153520be0

SHA512
22785e6f7207c3b6b9ab6fa2f15e78d7fba396eff6ab7e268284bd6379f3b8c7c8ab64ec802d306435d795122ccc5be858895f5ef2a30d5080bfa4ad832dacd8

Download Submit
\Program Files (x86)\letsvpn\LetsPRO.exe
Filesize
241KB

MD5
d7feeb6db9035951f1acf6f42dff28af

SHA1
433043803f701d2a98af13144c0dbc55b8102fcf

SHA256
7619a4e0d6d4c3c26da4285c6abc69974b4754017fae530768a288e153520be0

SHA512
22785e6f7207c3b6b9ab6fa2f15e78d7fba396eff6ab7e268284bd6379f3b8c7c8ab64ec802d306435d795122ccc5be858895f5ef2a30d5080bfa4ad832dacd8

Download Submit
\Program Files (x86)\letsvpn\LetsPRO.exe
Filesize
241KB

MD5
d7feeb6db9035951f1acf6f42dff28af

SHA1
433043803f701d2a98af13144c0dbc55b8102fcf

SHA256
7619a4e0d6d4c3c26da4285c6abc69974b4754017fae530768a288e153520be0

SHA512
22785e6f7207c3b6b9ab6fa2f15e78d7fba396eff6ab7e268284bd6379f3b8c7c8ab64ec802d306435d795122ccc5be858895f5ef2a30d5080bfa4ad832dacd8

Download Submit
\Program Files (x86)\letsvpn\app-3.2.8\LetsPRO.exe
Filesize
1.1MB

MD5
f580b1afeda311cc16ec79604013c986

SHA1
c96f803de28e422310a2076f757983b76d4c8516

SHA256
3761076fcc52c1e7dd303496bff5ec64220092f2853e2b6006bf645d61a55092

SHA512
5d0bd2596c2025ae41ff52eabb64916220f879b6c471c743002ab92d609a155127cd7b9ea2100a690e0cd5a48687e91e1f95bc511b9802aefcb173d23da5dba9

Download Submit
\Program Files (x86)\letsvpn\app-3.2.8\Newtonsoft.Json.dll
Filesize
686KB

MD5
22da3e608b9d6510c367a4119aa7226a

SHA1
c46604ca2ddc8b50cbf8249ea7720c1a49703cff

SHA256
74255fe55ff2e6e52f1e38bd9b9b21a0e3bd47d79cd7ddc2c235d3bd36684a7e

SHA512
be4745c006705069bdc3e15ae3bb7e668ce3ba9bccb81feebde62c98b54e9a8b4aed6f9709fb1d9beb5c01d5af1fef84e62c5fc6bafe5d79e92b00785c66f430

Download Submit
\Program Files (x86)\letsvpn\app-3.2.8\Utils.dll
Filesize
118KB

MD5
28a9a91d4b13236fd04a5eaa75e798d0

SHA1
84c064ece148297bf5606cde083ea811ba10a5ef

SHA256
87cf0aeccada8867f1d80f59531403ba8ad0489caf160b6c3401163d61c200fe

SHA512
e49f2aa77cae28b5bab90356fcc318cc2f93b61b1df2d8ceb535106126c85bb09925ab16f9763f4e67dce53a4edf4bb6fa5b2579937ed7372c5af0f513fc09b5

Download Submit
\Program Files (x86)\letsvpn\app-3.2.8\Utils.dll
Filesize
118KB

MD5
28a9a91d4b13236fd04a5eaa75e798d0

SHA1
84c064ece148297bf5606cde083ea811ba10a5ef

SHA256
87cf0aeccada8867f1d80f59531403ba8ad0489caf160b6c3401163d61c200fe

SHA512
e49f2aa77cae28b5bab90356fcc318cc2f93b61b1df2d8ceb535106126c85bb09925ab16f9763f4e67dce53a4edf4bb6fa5b2579937ed7372c5af0f513fc09b5

Download Submit
\Program Files (x86)\letsvpn\app-3.2.8\log4net.dll
Filesize
274KB

MD5
985916905fc9b8222c3e65c8873cab91

SHA1
95c7ce0a1d94918a234694f1917d9eef3b289035

SHA256
252a303763cf7810679255cfbf761d2a5ce3b41b193070f0c5ebcbc52238e1c8

SHA512
436b0d24a7e23ab424dce69608969f35fcc88b4caa5c1bb2eeaee8bf54a4c2c0c9cbfe3a0e82c81fae22d1acdb037648972c6860e831a851fb42276ff5e97354

Download Submit
\Program Files (x86)\letsvpn\app-3.2.8\log4net.dll
Filesize
274KB

MD5
985916905fc9b8222c3e65c8873cab91

SHA1
95c7ce0a1d94918a234694f1917d9eef3b289035

SHA256
252a303763cf7810679255cfbf761d2a5ce3b41b193070f0c5ebcbc52238e1c8

SHA512
436b0d24a7e23ab424dce69608969f35fcc88b4caa5c1bb2eeaee8bf54a4c2c0c9cbfe3a0e82c81fae22d1acdb037648972c6860e831a851fb42276ff5e97354

Download Submit
\Program Files (x86)\letsvpn\app-3.2.8\log4net.dll
Filesize
274KB

MD5
985916905fc9b8222c3e65c8873cab91

SHA1
95c7ce0a1d94918a234694f1917d9eef3b289035

SHA256
252a303763cf7810679255cfbf761d2a5ce3b41b193070f0c5ebcbc52238e1c8

SHA512
436b0d24a7e23ab424dce69608969f35fcc88b4caa5c1bb2eeaee8bf54a4c2c0c9cbfe3a0e82c81fae22d1acdb037648972c6860e831a851fb42276ff5e97354

Download Submit
\Program Files (x86)\letsvpn\app-3.2.8\log4net.dll
Filesize
274KB

MD5
985916905fc9b8222c3e65c8873cab91

SHA1
95c7ce0a1d94918a234694f1917d9eef3b289035

SHA256
252a303763cf7810679255cfbf761d2a5ce3b41b193070f0c5ebcbc52238e1c8

SHA512
436b0d24a7e23ab424dce69608969f35fcc88b4caa5c1bb2eeaee8bf54a4c2c0c9cbfe3a0e82c81fae22d1acdb037648972c6860e831a851fb42276ff5e97354

Download Submit
\Program Files (x86)\letsvpn\driver\tapinstall.exe
Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
\Program Files (x86)\letsvpn\driver\tapinstall.exe
Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
\Program Files (x86)\letsvpn\driver\tapinstall.exe
Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
\Program Files (x86)\letsvpn\driver\tapinstall.exe
Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
\Users\Admin\AppData\Local\Temp\kk.exe
Filesize
75KB

MD5
6050e96866489fe27ed9babad1857036

SHA1
64f2bbb3e24a665b119fed0aea149eda7723ca24

SHA256
7b1e8fe7a9f17c6225df8151506724c6ad2d7e469593bb4095427ee430b617ad

SHA512
ce528812778066db7323e0ebce59ec350574713260abd8e9cfbabbff94ec6dad2c6beeb8998c2e7fcb62938a57a3e13596ea23407551563ab22624f7a89cd809

Download Submit
\Users\Admin\AppData\Local\Temp\kk.exe
Filesize
75KB

MD5
6050e96866489fe27ed9babad1857036

SHA1
64f2bbb3e24a665b119fed0aea149eda7723ca24

SHA256
7b1e8fe7a9f17c6225df8151506724c6ad2d7e469593bb4095427ee430b617ad

SHA512
ce528812778066db7323e0ebce59ec350574713260abd8e9cfbabbff94ec6dad2c6beeb8998c2e7fcb62938a57a3e13596ea23407551563ab22624f7a89cd809

Download Submit
\Users\Admin\AppData\Local\Temp\letsvpn.exe
Filesize
12.3MB

MD5
8834ec8d35669dd623ba5c6986ff2748

SHA1
1a475633f1ea1ab47edb1c030ce2ea933c0a934c

SHA256
addd2cd8d45632e65f49b6ce71614af32332741307be5a02f16015af13090cf2

SHA512
00b3578f4e79a5af041dc2364b2cbcc73930c5d1893b3646d8eb652c89573773abc9dc9bf1de2aff05053942a1615cbe17c0ed6ce0e019b649f0b11301cbcf4e

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8622.tmp\System.dll
Filesize
11KB

MD5
75ed96254fbf894e42058062b4b4f0d1

SHA1
996503f1383b49021eb3427bc28d13b5bbd11977

SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8622.tmp\nsDialogs.dll
Filesize
9KB

MD5
ca95c9da8cef7062813b989ab9486201

SHA1
c555af25df3de51aa18d487d47408d5245dba2d1

SHA256
feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be

SHA512
a30d94910204d1419c803dc12d90a9d22f63117e4709b1a131d8c4d5ead7e4121150e2c8b004a546b33c40c294df0a74567013001f55f37147d86bb847d7bbc9

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8622.tmp\nsExec.dll
Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8622.tmp\nsExec.dll
Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8622.tmp\nsExec.dll
Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8622.tmp\nsExec.dll
Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8622.tmp\nsExec.dll
Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8622.tmp\nsExec.dll
Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8622.tmp\nsExec.dll
Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8622.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8622.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Public\Videos\lsp.exe
Filesize
1.0MB

MD5
95f15e5ca91150a6caf86ada3023cc58

SHA1
6254bb5d18d7ccff4c698ec771c9bed56653d117

SHA256
2a013ff275babc22d4a7041cb52dbd641aa918227cf4943a6ec927d89f9fccad

SHA512
bcf827c2aae0bb58f2c10e25767b89b957d4ef00f4f83ef73d02609d6359037f3f11f683838319f6d39e0db6eadea9ae7f4f5f08f0fd8efa1bf52c77094f7f40

Download Submit
\Users\Public\Videos\lsp.exe
Filesize
1.0MB

MD5
95f15e5ca91150a6caf86ada3023cc58

SHA1
6254bb5d18d7ccff4c698ec771c9bed56653d117

SHA256
2a013ff275babc22d4a7041cb52dbd641aa918227cf4943a6ec927d89f9fccad

SHA512
bcf827c2aae0bb58f2c10e25767b89b957d4ef00f4f83ef73d02609d6359037f3f11f683838319f6d39e0db6eadea9ae7f4f5f08f0fd8efa1bf52c77094f7f40

Download Submit
memory/320-125-0x0000000000000000-mapping.dmp

Download
memory/340-123-0x0000000000800000-0x0000000000826000-memory.dmp

Filesize
152KB

Download
memory/472-88-0x0000000000000000-mapping.dmp

Download
memory/548-142-0x0000000000000000-mapping.dmp

Download
memory/740-138-0x0000000000000000-mapping.dmp

Download
memory/856-126-0x0000000000000000-mapping.dmp

Download
memory/1048-54-0x000007FEFC281000-0x000007FEFC283000-memory.dmp

Filesize
8KB

Download
memory/1120-133-0x0000000000000000-mapping.dmp

Download
memory/1152-106-0x0000000000000000-mapping.dmp

Download
memory/1260-58-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1260-71-0x00000000003C0000-0x00000000003F7000-memory.dmp

Filesize
220KB

Download
memory/1260-73-0x00000000003C0000-0x00000000003F7000-memory.dmp

Filesize
220KB

Download
memory/1260-72-0x0000000000400000-0x0000000001DFA000-memory.dmp

Filesize
26.0MB

Download
memory/1260-59-0x0000000000400000-0x0000000001DFA000-memory.dmp

Filesize
26.0MB

Download
memory/1260-60-0x0000000000400000-0x0000000001DFA000-memory.dmp

Filesize
26.0MB

Download
memory/1260-56-0x0000000000000000-mapping.dmp

Download
memory/1260-100-0x00000000003C0000-0x00000000003F7000-memory.dmp

Filesize
220KB

Download
memory/1272-96-0x0000000000000000-mapping.dmp

Download
memory/1272-134-0x0000000000000000-mapping.dmp

Download
memory/1476-68-0x0000000000000000-mapping.dmp

Download
memory/1600-129-0x0000000000000000-mapping.dmp

Download
memory/1672-130-0x0000000000000000-mapping.dmp

Download
memory/1796-137-0x0000000000000000-mapping.dmp

Download
memory/1800-164-0x00000000009B0000-0x00000000009F6000-memory.dmp

Filesize
280KB

Download
memory/1800-160-0x0000000000560000-0x0000000000582000-memory.dmp

Filesize
136KB

Download
memory/1800-156-0x0000000000A80000-0x0000000000B9E000-memory.dmp

Filesize
1.1MB

Download
memory/1800-171-0x0000000004AE0000-0x0000000004B90000-memory.dmp

Filesize
704KB

Download
memory/1800-153-0x0000000000000000-mapping.dmp

Download
memory/1808-148-0x0000000000000000-mapping.dmp

Download
memory/1848-84-0x0000000000000000-mapping.dmp

Download
memory/1880-104-0x0000000000000000-mapping.dmp

Download
memory/1880-113-0x0000000010000000-0x0000000010192000-memory.dmp

Filesize
1.6MB

Download
memory/1880-145-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download
memory/1880-108-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download
memory/1880-112-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download
memory/1984-110-0x0000000003000000-0x00000000032A8000-memory.dmp

Filesize
2.7MB

Download
memory/1984-66-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1984-63-0x0000000000000000-mapping.dmp

Download
memory/1984-74-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1984-109-0x0000000003000000-0x00000000032A8000-memory.dmp

Filesize
2.7MB

Download